Channels

Services

Simple Conficker test for end users

Joe Stewart of SecureWorks has developed a simple test which reveals at a glance whether or not a system has been infected with one of the wide-spread versions of Conficker. The H now offers our own version of this test page.

If certain images are missing on the test page as shown, the system is likely to be infected.
Once a Conficker infection is suspected on a system, the anti-virus software installed on that system can no longer be trusted. The malware terminates a number of security mechanisms and prevents the start of certain programs. The new test is based on the fact that Conficker blocks access to various security and anti-virus pages. It includes a page that shows images of normal and of blocked sites. If only the images of the AV vendors are missing, there is a high likelihood that the computer has been infected with Conficker – or with another type of malware that behaves in a similar way.

Affected systems should, at the least, be treated with one of the Conficker removal tools. With this in mind, users are advised not to blindly follow the first link that comes up but look for a trustworthy vendor instead (see: Freeloaders are taking advantage of Conficker scare).

Users should also be aware that the test has several limitations. Conficker infiltrates dnsapi.dll and filters accesses by blocking DNS queries there. This, however, does not affect systems that involve a proxy. As a result, the test is not suitable for environments like corporate networks, where a network scanner capable of detecting Conficker should be used instead.

Another problem is that the original version Conficker.A doesn't block DNS queries, which makes it impossible for the test page to reveal version A infections. However Conficker.A is less common than its successors Conficker.B & C.

Felix Leder und Tillmann Werner, the authors of the honeynet paper analysing conficker, also put up a test page that uses the fact that Conficker blocks DNS reqeuests. They use CSS style sheets to diagnose infections with Conficker B/C.

Rather embarrassingly, the Conficker Working Groupadopted Stewart's original test without pointing out that it doesn't detect Conficker.A. Instead, users are presented with the misleading message: "Not Infected by Conficker." One would think that an organisation which includes both Microsoft and all the major AV vendors would check its tests before releasing them.